Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-28456

New implementation for the encrypted (AES) blob provider

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.10-HF21, 11.1
    • Component/s: BlobManager
    • Release Notes Summary:
      A new implementation for the encrypted (AES) blob provider is available.
    • Backlog priority:
      700
    • Upgrade notes:
      Hide

      A new blob provider org.nuxeo.ecm.core.blob.AESBlobProvider is available.

      It has the same configuration properties as the old org.nuxeo.ecm.core.blob.binary.AESBinaryManager.

      To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password using PBKDF2 (in which case each stored file contains a different salt for security reasons).

      The blob provider configuration holds the keystore information to retrieve the AES key, or the password that is used to generate a per-file key using PBKDF2. 

      For keystore use, the following properties are available:

      • keyStoreType: the keystore type, for instance JCEKS
      • keyStoreFile: the path to the keystore, if applicable
      • keyStorePassword: the keystore password
      • keyAlias: the alias (name) of the key in the keystore
      • keyPassword: the key password

      And for PBKDF2 use:

      • password: the password

      In addition, the following property may be specified to define where the encrypted blobs are stored:

      • path: the filesystem path for the storage (if relative, under nxserver/data). The default is binaries.

      For backward compatibility, the encryption properties can also be included in the <property name="key">prop1=value1,prop2=value2,...</property> of the blob provider configuration.

      Show
      A new blob provider org.nuxeo.ecm.core.blob.AESBlobProvider is available. It has the same configuration properties as the old org.nuxeo.ecm.core.blob.binary.AESBinaryManager . To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password using PBKDF2 (in which case each stored file contains a different salt for security reasons). The blob provider configuration holds the keystore information to retrieve the AES key, or the password that is used to generate a per-file key using PBKDF2.  For keystore use, the following properties are available: keyStoreType : the keystore type, for instance JCEKS keyStoreFile : the path to the keystore, if applicable keyStorePassword : the keystore password keyAlias : the alias (name) of the key in the keystore keyPassword : the key password And for PBKDF2 use: password : the password In addition, the following property may be specified to define where the encrypted blobs are stored: path : the filesystem path for the storage (if relative, under nxserver/data ). The default is  binaries . For backward compatibility, the encryption properties can also be included in the <property name="key">prop1=value1,prop2=value2,...</property> of the blob provider configuration.
    • Sprint:
      nxFG 11.1.11

      Description

      When using an encrypted binary manager like AESBinaryManager is used, temporary files are created in $DATA/binaries/tmp with the clear version of the files

      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_1408218792246778164.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_1632870049031419390.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_224213507322968208.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 34960 Oct 29 16:22 nxserver/data/binaries/tmp/bin_236964128159098082.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:22 nxserver/data/binaries/tmp/bin_3666157129495999547.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_3863882643970085669.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_6265926432627041060.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 34960 Oct 29 16:09 nxserver/data/binaries/tmp/bin_7113531504103435431.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 15:57 nxserver/data/binaries/tmp/bin_7791077638803292109.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:09 nxserver/data/binaries/tmp/bin_7839008301594541886.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 34960 Oct 29 16:22 nxserver/data/binaries/tmp/bin_8278480127780447852.tmp
      -rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:22 nxserver/data/binaries/tmp/bin_9138390679702223470.tmp

      These files are not deleted immediately and sometimes remains in the tmp folder for a very long time. This is due to the usage of Framework.trackFile

      I've observed that some files remains even if I perform a full GC.

      Can't we find a more robust way of deleting these temporary files?

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 3 days
                  3d

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.